Restrictive access control for modular reflection

ABSTRACT

Access to a module element within a first module by a second module is prohibited if the module element within the first module has not been exposed to the second module. If a particular module element within a first module has been exposed to a second module, then access to the particular module element by the second module may or may not be allowed depending on: (a) whether the particular module element has been declared with a public or non-public access modifier, (b) whether a second exposed module element, which includes the particular module element, has been declared with a public or non-public access modifier, (c) a level of access associated with the operation that attempts to access the particular module element of the first module, and/or (d) whether an accessibility override configuration is set for accessing the particular module element.

BENEFIT CLAIM; INCORPORATION BY REFERENCE

This application claims priority as a Continuation of U.S. Non-Provisional application Ser. No. 14/847,800 filed on Sep. 8, 2015, which claims benefit to U.S. Provisional Application No. 62/209,878 filed on Aug. 25, 2015, the content of both of which is hereby incorporated by reference.

TECHNICAL FIELD

The present disclosure relates to module systems. In particular, the present disclosure relates to restricting access to non-exposed module elements in a module system.

BACKGROUND

A module system permits the definition of a set of modules. Each module in a module system corresponds to a respective collection of code. A module system specifies how a collection of code corresponding to a particular module can access code corresponding to other modules. A module descriptor (interchangeably referred to as a “module interface”), for a particular module, expresses other modules upon which the particular module may depend. The declaration of a dependency on another module may be referred to as an explicit dependency. A module descriptor also expresses the elements of a particular module that are exposed by the particular module to the other modules which declare an explicit dependency on the particular module. Other modules which do not declare an explicit dependency on the particular module are restricted from accessing such elements.

Conventionally, module systems are designed to allow certain access techniques and/or accessibility configurations to override access restrictions declared in a module descriptor. In one example, reflective Application Programming Interfaces (APIs) (such as java.lang.reflect in Java SE) allow a test framework module to access a module element within a particular module even if that module element has not been exposed by the particular module to the test framework module. In another example, the .NET platform's reflective API allows for access to the internals of any module.

The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.

BRIEF DESCRIPTION OF THE DRAWINGS

The embodiments are illustrated by way of example and not by way of limitation in the figures of the accompanying drawings. It should be noted that references to “an” or “one” embodiment in this disclosure are not necessarily to the same embodiment, and they mean at least one. In the drawings:

FIG. 1 illustrates an example computing architecture in which techniques described herein may be practiced.

FIG. 2 is a block diagram illustrating one embodiment of a computer system suitable for implementing methods and features described herein.

FIG. 3 illustrates an example virtual machine memory layout in block diagram form according to an embodiment.

FIG. 4 illustrates an example of a module in the Java Module System in accordance with one or more embodiments.

FIG. 5 illustrates operations in accordance with one or more embodiments.

FIG. 6 illustrates a system in accordance with one or more embodiments.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding. One or more embodiments may be practiced without these specific details. Features described in one embodiment may be combined with features described in a different embodiment. In some examples, well-known structures and devices are described with reference to a block diagram form in order to avoid unnecessarily obscuring the present invention.

-   1. General Overview
-   2. Architectural Overview
    -   2.1 Example Class File Structure
    -   2.2 Example Virtual Machine Architecture
    -   2.3 Loading, Linking, and Initializing
-   3. Module Elements of a Module in a Module System
-   4. Access Kinds for Accessing Module Elements
-   5. Controlling Access to Module Elements
-   6. Miscellaneous; Extensions
-   7. Hardware Overview

1. General Overview

One or more embodiments include strictly controlling access to modules in a module system.

In one embodiment, access to a module element within a first module by a second module is strictly prohibited if the module element within the first module has not been exposed to the second module. Access to the non-exposed module element of the first module by the second module is strictly prohibited regardless of (a) whether the non-exposed module element has been declared with a public or non-public access modifier, (b) the level of access associated with the operation that attempts to access the non-exposed module element of the first module, and (c) whether an accessibility override configuration is set for the non-exposed module element. In an example, access by a consumer module to a non-exposed module element of a provider module is prohibited even when access is attempted using a reflective operation with an accessibility override configuration being set for attempting to access the non-exposed module element.

In an example, access to a non-exposed module element within a first module by a second module is strictly prohibited even when the access is attempted using reflective operations with an accessibility override configuration that sets the non-exposed module element to be publicly accessible.

In an embodiment, if a particular module element within a first module has been exposed to a second module, then access to the particular module element by the second module may or may not be allowed. Permissions for accessing the exposed particular module element may be determined based on one or more factors including, but not limited to: (a) whether the particular module element has been declared with a public or non-public access modifier, (b) whether a second exposed module element, which includes the particular module element, has been declared with a public or non-public access modifier, (c) the level of access associated with the operation that attempts to access the non-exposed module element of the first module, and (d) whether an accessibility override configuration is set for the non-exposed module element.

In an example, a module element, in a first module, is a field declaration with a non-public access modifier. The field declaration is within a class declaration with a public access modifier. Both the field declaration and the class declaration are exposed by way of exposing a package which includes the class declaration (and as a result, the field declaration). If a second module attempts to access the field declaration (with the non-public access modifier) using a reflective operation, access is allowed or prohibited based on whether or not the reflective operation sets an accessibility override configuration for the field declaration. If the accessibility override configuration is not set, the non-public access modifier in the field declaration dictates that the second module is prohibited from accessing the field declaration. If the accessibility override configuration is set, the non-public access modifier in the field declaration is overridden and the second module is allowed to access the field declaration.
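The effect of the accessibility override, and of its refusal for non-exposed elements, can be observed on a JDK that ships a module system (JDK 9 or later). This is an added example, not code from the disclosure: Provider and its field secret are constructed names, and jdk.internal.misc.Unsafe is assumed only as a public class in a java.base package that is not exported to application code. Provider and the caller share one module here, so exposure is not in question for the first pair of calls and only the access modifier and the override decide.

```java
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;
import java.lang.reflect.Method;

public class ReflectionAccessDemo {

    // Reads the non-public field Provider.secret reflectively,
    // with or without the accessibility override (setAccessible).
    static String readNonPublicField(boolean override) {
        try {
            Field f = Provider.class.getDeclaredField("secret");
            if (override) {
                f.setAccessible(true);   // accessibility override configuration
            }
            return "allowed: " + f.get(new Provider());
        } catch (IllegalAccessException e) {
            return "denied by access modifier (IllegalAccessException)";
        } catch (ReflectiveOperationException | InaccessibleObjectException e) {
            return "denied: " + e.getClass().getSimpleName();
        }
    }

    // Calls a PUBLIC static method of a class whose package java.base does not
    // export to this code. The class and method are assumptions of this example.
    static String callNonExportedPublicMethod(boolean override) {
        try {
            Class<?> c = Class.forName("jdk.internal.misc.Unsafe");
            Method m = c.getMethod("getUnsafe");
            if (override) {
                m.setAccessible(true);   // the module system refuses the override
            }
            Object r = m.invoke(null);
            return "allowed: " + r.getClass().getName();
        } catch (InaccessibleObjectException e) {
            return "denied, override refused (InaccessibleObjectException)";
        } catch (IllegalAccessException e) {
            return "denied, package not exported (IllegalAccessException)";
        } catch (ReflectiveOperationException e) {
            return "unavailable on this JDK: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        System.out.println("non-public field, no override   : " + readNonPublicField(false));
        System.out.println("non-public field, with override : " + readNonPublicField(true));
        System.out.println("non-exported, no override       : " + callNonExportedPublicMethod(false));
        System.out.println("non-exported, with override     : " + callNonExportedPublicMethod(true));
    }
}

// Constructed provider class: a non-public field inside a class the caller can reach.
class Provider {
    private String secret = "provider-internal";
}
```

Run without --add-exports or --add-opens, the non-public field is denied without the override and readable with it, while both calls into the non-exported package are denied even though the target method is public.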

One or more embodiments described in this Specification and/or recited in the claims may not be included in this General Overview section.

2. Architectural Overview

FIG. 1 illustrates an example architecture in which techniques described herein may be practiced. Software and/or hardware components described with relation to the example architecture may be omitted or associated with a different set of functionality than described herein. Software and/or hardware components, not described herein, may be used within an environment in accordance with one or more embodiments. Accordingly, the example environment should not be construed as limiting the scope of any of the claims.

As illustrated in FIG. 1, a computing architecture 100 includes source code files 101 which are compiled by a compiler 102 into class files 103 representing the program to be executed. The class files 103 are then loaded and executed by an execution platform 112, which includes a runtime environment 113, an operating system 111, and one or more application programming interfaces (APIs) 110 that enable communication between the runtime environment 113 and the operating system 111. The runtime environment 112 includes a virtual machine 104 comprising various components, such as a memory manager 105 (which may include a garbage collector), a class file verifier 106 to check the validity of class files 103, a class loader 107 to locate and build in-memory representations of classes, an interpreter 108 for executing the virtual machine 104 code, and a just-in-time (JIT) compiler 109 for producing optimized machine-level code.

In an embodiment, the computing architecture 100 includes source code files 101 that contain code that has been written in a particular programming language, such as Java, C, C++, C#, Ruby, Perl, and so forth. Thus, the source code files 101 adhere to a particular set of syntactic and/or semantic rules for the associated language. For example, code written in Java adheres to the Java Language Specification. However, since specifications are updated and revised over time, the source code files 101 may be associated with a version number indicating the revision of the specification to which the source code files 101 adhere. The exact programming language used to write the source code files 101 is generally not critical.

In various embodiments, the compiler 102 converts the source code, which is written according to a specification directed to the convenience of the programmer, to either machine or object code, which is executable directly by the particular machine environment, or an intermediate representation (“virtual machine code/instructions”), such as bytecode, which is executable by a virtual machine 104 that is capable of running on top of a variety of particular machine environments. The virtual machine instructions are executable by the virtual machine 104 in a more direct and efficient manner than the source code. Converting source code to virtual machine instructions includes mapping source code functionality from the language to virtual machine functionality that utilizes underlying resources, such as data structures. Often, functionality that is presented in simple terms via source code by the programmer is converted into more complex steps that map more directly to the instruction set supported by the underlying hardware on which the virtual machine 104 resides.

In general, programs are executed either as a compiled or an interpreted program. When a program is compiled, the code is transformed globally from a first language to a second language before execution. Since the work of transforming the code is performed ahead of time, compiled code tends to have excellent run-time performance. In addition, since the transformation occurs globally before execution, the code can be analyzed and optimized using techniques such as constant folding, dead code elimination, inlining, and so forth. However, depending on the program being executed, the startup time can be significant. In addition, inserting new code would require the program to be taken offline, re-compiled, and re-executed. For many dynamic languages (such as Java) which are designed to allow code to be inserted during the program's execution, a purely compiled approach may be inappropriate. When a program is interpreted, the code of the program is read line-by-line and converted to machine-level instructions while the program is executing. As a result, the program has a short startup time (can begin executing almost immediately), but the run-time performance is diminished by performing the transformation on the fly. Furthermore, since each instruction is analyzed individually, many optimizations that rely on a more global analysis of the program cannot be performed.

In some embodiments, the virtual machine 104 includes an interpreter 108 and a JIT compiler 109 (or a component implementing aspects of both), and executes programs using a combination of interpreted and compiled techniques. For example, the virtual machine 104 may initially begin by interpreting the virtual machine instructions representing the program via the interpreter 108 while tracking statistics related to program behavior, such as how often different sections or blocks of code are executed by the virtual machine 104. Once a block of code surpasses a threshold (is “hot”), the virtual machine 104 invokes the JIT compiler 109 to perform an analysis of the block and generate optimized machine-level instructions which replace the “hot” block of code for future executions. Since programs tend to spend most time executing a small portion of overall code, compiling just the “hot” portions of the program can provide similar performance to fully compiled code, but without the start-up penalty. Furthermore, although the optimization analysis is constrained to the “hot” block being replaced, there still exists far greater optimization potential than converting each instruction individually. There are a number of variations on the above described example, such as tiered compiling.

In order to provide clear examples, the source code files 101 have been illustrated as the “top level” representation of the program to be executed by the execution platform 111. Although the computing architecture 100 depicts the source code files 101 as a “top level” program representation, in other embodiments the source code files 101 may be an intermediate representation received via a “higher level” compiler that processed code files in a different language into the language of the source code files 101. Some examples in the following disclosure assume that the source code files 101 adhere to a class-based object-oriented programming language. However, this is not a requirement to utilizing the features described herein.

In an embodiment, compiler 102 receives as input the source code files 101 and converts the source code files 101 into class files 103 that are in a format expected by the virtual machine 104. For example, in the context of the JVM, the Java Virtual Machine Specification defines a particular class file format to which the class files 103 are expected to adhere. In some embodiments, the class files 103 contain the virtual machine instructions that have been converted from the source code files 101. However, in other embodiments, the class files 103 may contain other structures as well, such as tables identifying constant values and/or metadata related to various structures (classes, fields, methods, and so forth).

The following discussion assumes that each of the class files 103 represents a respective “class” defined in the source code files 101 (or dynamically generated by the compiler 102/virtual machine 104). However, the aforementioned assumption is not a strict requirement and will depend on the implementation of the virtual machine 104. Thus, the techniques described herein may still be performed regardless of the exact format of the class files 103. In some embodiments, the class files 103 are divided into one or more “libraries” or “packages”, each of which includes a collection of classes that provide related functionality. For example, a library may contain one or more class files that implement input/output (I/O) operations, mathematics tools, cryptographic techniques, graphics utilities, and so forth. Further, some classes (or fields/methods within those classes) may include access restrictions that limit their use to within a particular class/library/package or to classes with appropriate permissions.

2.1 Example Class File Structure

FIG. 2 illustrates an example structure for a class file 200 in block diagram form according to an embodiment. In order to provide clear examples, the remainder of the disclosure assumes that the class files 103 of the computing architecture 100 adhere to the structure of the example class file 200 described in this section. However, in a practical environment, the structure of the class file 200 will be dependent on the implementation of the virtual machine 104. Further, one or more features discussed herein may modify the structure of the class file 200 to, for example, add additional structure types. Therefore, the exact structure of the class file 200 is not critical to the techniques described herein. For the purposes of Section 2.1, “the class” or “the present class” refers to the class represented by the class file 200.

In FIG. 2, the class file 200 is made up of class members including, but not limited to, a constant table 201, field structures 208, class metadata 204, and method structures 209. In an embodiment, the constant table 201 is a data structure which, among other functions, acts as a symbol table for the class. For example, the constant table 201 may store data related to the various identifiers used in the source code files 101 such as type, scope, contents, and/or location. The constant table 201 has entries for value structures 202 (representing constant values of type int, long, double, float, byte, string, and so forth), class information structures 203, name and type information structures 205, field reference structures 206, and method reference structures 207 derived from the source code files 101 by the compiler 102. In an embodiment, the constant table 201 is implemented as an array that maps an index i to structure j. However, the exact implementation of the constant table 201 is not critical.

In some embodiments, the entries of the constant table 201 include structures which index other constant table 201 entries. For example, an entry for one of the value structures 202 representing a string may hold a tag identifying its “type” as string and an index to one or more other value structures 202 of the constant table 201 storing char, byte or int values representing the ASCII characters of the string.

In an embodiment, field reference structures 206 of the constant table 201 hold an index into the constant table 201 to one of the class information structures 203 representing the class defining the field and an index into the constant table 201 to one of the name and type information structures 205 that provides the name and descriptor of the field. Method reference structures 207 of the constant table 201 hold an index into the constant table 201 to one of the class information structures 203 representing the class defining the method and an index into the constant table 201 to one of the name and type information structures 205 that provides the name and descriptor for the method. The class information structures 203 hold an index into the constant table 201 to one of the value structures 202 holding the name of the associated class.

The name and type information structures 205 hold an index into the constant table 201 to one of the value structures 202 storing the name of the field/method and an index into the constant table 201 to one of the value structures 202 storing the descriptor.

In an embodiment, class metadata 204 includes metadata for the class, such as version number(s), number of entries in the constant pool, number of fields, number of methods, access flags (whether the class is public, non-public, final, abstract, etc.), an index to one of the class information structures 203 of the constant table 201 that identifies the present class, an index to one of the class information structures 203 of the constant table 201 that identifies the superclass (if any), and so forth.

In an embodiment, the field structures 208 represent a set of structures that identifies the various fields of the class. The field structures 208 store, for each field of the class, accessor flags for the field (whether the field is static, public, non-public, final, etc.), an index into the constant table 201 to one of the value structures 202 that holds the name of the field, and an index into the constant table 201 to one of the value structures 202 that holds a descriptor of the field.

In an embodiment, the method structures 209 represent a set of structures that identifies the various methods of the class. The method structures 209 store, for each method of the class, accessor flags for the method (e.g. whether the method is static, public, non-public, synchronized, etc.), an index into the constant table 201 to one of the value structures 202 that holds the name of the method, an index into the constant table 201 to one of the value structures 202 that holds the descriptor of the method, and the virtual machine instructions that correspond to the body of the method as defined in the source code files 101.

In an embodiment, a descriptor represents a type of a field or method. For example, the descriptor may be implemented as a string adhering to a particular syntax. While the exact syntax is not critical, a few examples are described below.

In an example where the descriptor represents a type of the field, the descriptor identifies the type of data held by the field. In an embodiment, a field can hold a basic type, an object, or an array. When a field holds a basic type, the descriptor is a string that identifies the basic type (e.g., “B”=byte, “C”=char, “D”=double, “F”=float, “I”=int, “J”=long int, etc.). When a field holds an object, the descriptor is a string that identifies the class name of the object (e.g. “L ClassName”). “L” in this case indicates a reference, thus “L ClassName” represents a reference to an object of class ClassName. When the field is an array, the descriptor identifies the type held by the array. For example, “[B” indicates an array of bytes, with “[” indicating an array and “B” indicating that the array holds the basic type of byte. However, since arrays can be nested, the descriptor for an array may also indicate the nesting. For example, “[[L ClassName” indicates an array where each index holds an array that holds objects of class ClassName. In some embodiments, the ClassName is fully qualified and includes the simple name of the class, as well as the pathname of the class. For example, the ClassName may indicate where the file is stored in the package, library, or file system hosting the class file 200.

In the case of a method, the descriptor identifies the parameters of the method and the return type of the method. For example, a method descriptor may follow the general form “({ParameterDescriptor}) ReturnDescriptor”, where the {ParameterDescriptor} is a list of field descriptors representing the parameters and the ReturnDescriptor is a field descriptor identifying the return type. For instance, the string “V” may be used to represent the void return type. Thus, a method defined in the source code files 101 as “Object m (int I, double d, Thread t) { . . . }” matches the descriptor “(I D L Thread) L Object”.
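A strict parser for these descriptors, of the kind a class file checker needs before trusting a descriptor string, is sketched below. This is an added example, not code from the disclosure: DescriptorParser is a hypothetical name, and it assumes the concrete syntax of the Java Virtual Machine Specification (no spaces, class names written with “/” separators and terminated by “;”, plus the “S” and “Z” tags for short and boolean), which the spaced notation above abbreviates.

```java
import java.util.ArrayList;
import java.util.List;

public class DescriptorParser {
    private final String s;   // descriptor being parsed
    private int pos;          // index of the next unread character

    private DescriptorParser(String s) { this.s = s; }

    private IllegalArgumentException error(String msg) {
        return new IllegalArgumentException(msg + " at index " + pos + " in \"" + s + "\"");
    }

    // Parses one field descriptor starting at pos and returns a readable type name.
    private String fieldType() {
        int dims = 0;
        while (pos < s.length() && s.charAt(pos) == '[') { dims++; pos++; }
        if (dims > 255) throw error("more than 255 array dimensions");
        if (pos >= s.length()) throw error("missing type tag");
        char tag = s.charAt(pos++);
        String base;
        switch (tag) {
            case 'B': base = "byte"; break;
            case 'C': base = "char"; break;
            case 'D': base = "double"; break;
            case 'F': base = "float"; break;
            case 'I': base = "int"; break;
            case 'J': base = "long"; break;
            case 'S': base = "short"; break;
            case 'Z': base = "boolean"; break;
            case 'L': {
                // Reference type: class name runs up to the terminating ';'.
                int end = s.indexOf(';', pos);
                if (end < 0) throw error("unterminated class name");
                if (end == pos) throw error("empty class name");
                base = s.substring(pos, end).replace('/', '.');
                pos = end + 1;
                break;
            }
            default:
                throw error("unknown type tag '" + tag + "'");
        }
        return base + "[]".repeat(dims);   // String.repeat needs JDK 11 or later
    }

    // Parses a complete field descriptor; trailing characters are rejected.
    public static String parseField(String d) {
        DescriptorParser p = new DescriptorParser(d);
        String type = p.fieldType();
        if (p.pos != d.length()) throw p.error("trailing characters");
        return type;
    }

    // Parses a method descriptor and returns "returnType (param, param, ...)".
    public static String parseMethod(String d) {
        DescriptorParser p = new DescriptorParser(d);
        if (d.isEmpty() || d.charAt(0) != '(') throw p.error("missing '('");
        p.pos = 1;
        List<String> params = new ArrayList<>();
        while (p.pos < d.length() && d.charAt(p.pos) != ')') {
            params.add(p.fieldType());   // 'V' is rejected here: void is not a parameter type
        }
        if (p.pos >= d.length()) throw p.error("missing ')'");
        p.pos++;                         // consume ')'
        String ret;
        if (p.pos < d.length() && d.charAt(p.pos) == 'V') {
            ret = "void";
            p.pos++;
        } else {
            ret = p.fieldType();
        }
        if (p.pos != d.length()) throw p.error("trailing characters");
        return ret + " (" + String.join(", ", params) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample descriptors.
        System.out.println(parseField("[B"));
        System.out.println(parseField("[[Ljava/lang/String;"));
        System.out.println(parseMethod("(IDLjava/lang/Thread;)Ljava/lang/Object;"));
        System.out.println(parseMethod("(II)I"));
        try {
            parseMethod("(ILjava/lang/Thread)V");   // malformed: class name lacks ';'
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```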

In an embodiment, the virtual machine instructions held in the method structures 209 include operations which reference entries of the constant table 201. Using Java as an example, consider the following class:

class A {
    int add12and13() {
        return B.addTwo(12, 13);
    }
}

In the above example, the Java method add12and13 is defined in class A, takes no parameters, and returns an integer. The body of method add12and13 calls static method addTwo of class B which takes the constant integer values 12 and 13 as parameters, and returns the result. Thus, in the constant table 201, the compiler 102 includes, among other entries, a method reference structure that corresponds to the call to the method B.addTwo. In Java, a call to a method compiles down to an invoke command in the bytecode of the JVM (in this case invokestatic as addTwo is a static method of class B). The invoke command is provided an index into the constant table 201 corresponding to the method reference structure that identifies the class defining addTwo “B”, the name of addTwo “addTwo”, and the descriptor of addTwo “(I I)I”. For example, assuming the aforementioned method reference is stored at index 4, the bytecode instruction may appear as “invokestatic #4”.

Since the constant table 201 refers to classes, methods, and fields symbolically with structures carrying identifying information, rather than direct references to a memory location, the entries of the constant table 201 are referred to as “symbolic references”. One reason that symbolic references are utilized for the class files 103 is because, in some embodiments, the compiler 102 is unaware of how and where the classes will be stored once loaded into the runtime environment 112. As will be described in Section 2.3, eventually the run-time representations of the symbolic references are resolved into actual memory addresses by the virtual machine 104 after the referenced classes (and associated structures) have been loaded into the runtime environment and allocated concrete memory locations.

2.2 Example Virtual Machine Architecture

FIG. 3 illustrates an example virtual machine memory layout 300 in block diagram form according to an embodiment. In order to provide clear examples, the remaining discussion will assume that the virtual machine 104 adheres to the virtual machine memory layout 300 depicted in FIG. 3. In addition, although components of the virtual machine memory layout 300 may be referred to as memory “areas”, there is no requirement that the memory areas are contiguous.

In the example illustrated by FIG. 3, the virtual machine memory layout 300 is divided into a shared area 301 and a thread area 307. The shared area 301 represents an area in memory where structures shared among the various threads executing on the virtual machine 104 are stored. The shared area 301 includes a heap 302 and a per-class area 303. In an embodiment, the heap 302 represents the run-time data area from which memory for class instances and arrays is allocated. In an embodiment, the per-class area 303 represents the memory area where the data pertaining to the individual classes are stored. In an embodiment, the per-class area 303 includes, for each loaded class, a run-time constant pool 304 representing data from the constant table 201 of the class, field and method data 306 (for example, to hold the static fields of the class), and the method code 305 representing the virtual machine instructions for methods of the class.

The thread area 307 represents a memory area where structures specific to individual threads are stored. In FIG. 3, the thread area 307 includes thread structures 308 and thread structures 311, representing the per-thread structures utilized by different threads. In order to provide clear examples, the thread area 307 depicted in FIG. 3 assumes two threads are executing on the virtual machine 104. However, in a practical environment, the virtual machine 104 may execute any arbitrary number of threads, with the number of thread structures scaled accordingly.

In an embodiment, thread structures 308 include program counter 309 and virtual machine stack 310. Similarly, thread structures 311 include program counter 312 and virtual machine stack 313. In an embodiment, program counter 309 and program counter 312 store the current address of the virtual machine instruction being executed by their respective threads.

Thus, as a thread steps through the instructions, the program counters are updated to maintain an index to the current instruction. In an embodiment, virtual machine stack 310 and virtual machine stack 313 each store frames for their respective threads that hold local variables and partial results, and are also used for method invocation and return.

In an embodiment, a frame is a data structure used to store data and partial results, return values for methods, and perform dynamic linking. A new frame is created each time a method is invoked. A frame is destroyed when the method that caused the frame to be generated completes. Thus, when a thread performs a method invocation, the virtual machine 104 generates a new frame and pushes that frame onto the virtual machine stack associated with the thread.

When the method invocation completes, the virtual machine 104 passes back the result of the method invocation to the previous frame and pops the current frame off of the stack. In an embodiment, for a given thread, one frame is active at any point. This active frame is referred to as the current frame, the method that caused generation of the current frame is referred to as the current method, and the class to which the current method belongs is referred to as the current class.

2.3 Loading, Linking, and Initializing

In an embodiment, the virtual machine 104 dynamically loads, links, and initializes classes. Loading is the process of finding a class with a particular name and creating a representation from the associated class file 200 of that class within the memory of the runtime environment 112. For example, creating the run-time constant pool 304, method code 305, and field and method data 306 for the class within the per-class area 303 of the virtual machine memory layout 300. Linking is the process of taking the in-memory representation of the class and combining it with the run-time state of the virtual machine 104 so that the methods of the class can be executed. Initialization is the process of executing the class constructors to set the starting state of the field and method data 306 of the class and/or create class instances on the heap 302 for the initialized class.

The following are examples of loading, linking, and initializing techniques that may be implemented by the virtual machine 104. However, in many embodiments the steps may be interleaved, such that an initial class is loaded, then during linking a second class is loaded to resolve a symbolic reference found in the first class, which in turn causes a third class to be loaded, and so forth. Thus, progress through the stages of loading, linking, and initializing can differ from class to class. Further, some embodiments may delay (perform “lazily”) one or more functions of the loading, linking, and initializing process until the class is actually required. For example, resolution of a method reference may be delayed until a virtual machine instruction invoking the method is executed. Thus, the exact timing of when the steps are performed for each class can vary greatly between implementations.

To begin the loading process, the virtual machine 104 starts up by invoking the class loader 107 which loads an initial class. The technique by which the initial class is specified will vary from embodiment to embodiment. For example, one technique may have the virtual machine 104 accept a command line argument on startup that specifies the initial class.

To load a class, the class loader 107 parses the class file 200 corresponding to the class and determines whether the class file 200 is well-formed (meets the syntactic expectations of the virtual machine 104). If not, the class loader 107 generates an error. For example, in Java the error might be generated in the form of an exception which is thrown to an exception handler for processing. Otherwise, the class loader 107 generates the in-memory representation of the class by allocating the run-time constant pool 304, method code 305, and field and method data 306 for the class within the per-class area 303.

In some embodiments, when the class loader 107 loads a class, the classloader 107 also recursively loads the super-classes of the loaded class.For example, the virtual machine 104 may ensure that the superclasses ofa particular class are loaded, linked, and/or initialized beforeproceeding with the loading, linking and initializing process for theparticular class.

During linking, the virtual machine 104 verifies the class, prepares the class, and performs resolution of the symbolic references defined in the run-time constant pool 304 of the class.

To verify the class, the virtual machine 104 checks whether the in-memory representation of the class is structurally correct. For example, the virtual machine 104 may check that each class except the generic class Object has a superclass, check that final classes have no sub-classes and final methods are not overridden, check whether constant pool entries are consistent with one another, check whether the current class has correct access permissions for classes/fields/structures referenced in the constant pool 304, check that the virtual machine 104 code of methods will not cause unexpected behavior (e.g. making sure a jump instruction does not send the virtual machine 104 beyond the end of the method), and so forth. The exact checks performed during verification are dependent on the implementation of the virtual machine 104. In some cases, verification may cause additional classes to be loaded, but does not necessarily require those classes to also be linked before proceeding. For example, assume Class A contains a reference to a static field of Class B. During verification, the virtual machine 104 may check Class B to ensure that the referenced static field actually exists, which might cause loading of Class B, but not necessarily the linking or initializing of Class B. However, in some embodiments, certain verification checks can be delayed until a later phase, such as being checked during resolution of the symbolic references. For example, some embodiments may delay checking the access permissions for symbolic references until those references are being resolved.

To prepare a class, the virtual machine 104 initializes static fields located within the field and method data 306 for the class to default values. In some cases, setting the static fields to default values may not be the same as running a constructor for the class. For example, the verification process may zero out or set the static fields to values that the constructor would expect those fields to have during initialization.

During resolution, the virtual machine 104 dynamically determines concrete memory addresses from the symbolic references included in the run-time constant pool 304 of the class. To resolve the symbolic references, the virtual machine 104 utilizes the class loader 107 to load the class identified in the symbolic reference (if not already loaded). Once loaded, the virtual machine 104 has knowledge of the memory location within the per-class area 303 of the referenced class and its fields/methods. The virtual machine 104 then replaces the symbolic references with a reference to the concrete memory location of the referenced class, field, or method. In an embodiment, the virtual machine 104 caches resolutions to be reused in case the same class/name/descriptor is encountered when the virtual machine 104 processes another class. For example, in some cases, class A and class B may invoke the same method of class C. Thus, when resolution is performed for class A, that result can be cached and reused during resolution of the same symbolic reference in class B to reduce overhead.

In some embodiments, the step of resolving the symbolic references during linking is optional. For example, an embodiment may perform the symbolic resolution in a “lazy” fashion, delaying the step of resolution until a virtual machine instruction that requires the referenced class/method/field is executed.

During initialization, the virtual machine 104 executes the constructor of the class to set the starting state of that class. For example, initialization may initialize the field and method data 306 for the class and generate/initialize any class instances on the heap 302 created by the constructor. For example, the class file 200 for a class may specify that a particular method is a constructor that is used for setting up the starting state. Thus, during initialization, the virtual machine 104 executes the instructions of that constructor.

In some embodiments, the virtual machine 104 performs resolution on field and method references by initially checking whether the field/method is defined in the referenced class. Otherwise, the virtual machine 104 recursively searches through the super-classes of the referenced class for the referenced field/method until the field/method is located, or the top-level superclass is reached, in which case an error is generated.

3. Module Elements of a Module in a Module System

One or more embodiments are applicable to a module system. Each module within a module system corresponds to a respective set of code (referred to as “module code”). Each module is associated with one or more module elements. A module element, as referred to herein, corresponds to a portion of the module code. A module element (portion of module code) may itself include additional module elements (sub-portions of module code).

Module systems implemented in different programming languages may be defined with different types of module elements. Some examples, described herein, refer to the specific module elements of a module in a Java Module System for purposes of explanation. However, embodiments are equally applicable to module elements of different types in module systems implemented in other programming languages.

In the Java Module System, each module includes one or more packages. Each package includes one or more classes. Each class includes one or more class members such as fields and methods. Methods, as referred to herein, include constructors which may be invoked for the creation of an object by instantiating classes. A module element, as referred to herein with respect to the Java Module System, may include a package, a class, or a class member.

Exposing Module Elements

In an embodiment, a module element of a module may or may not be exposed to another module. In the Java Module System, a package may be exposed by a module when a module descriptor, corresponding to the module, includes an “exports” expression with the package identified as a parameter. The package may be exported to a set of specified modules (referred to as “qualified export”) or to all other modules in the module system (referred to as “unqualified export”).

The module element, of a provider module, may be exposed to a consumer module by the provider module if any of a set of conditions is met. The set of conditions may include, but is not limited to, (a) a declaration within the descriptor of the provider module that exposes the module element to the consumer module via a qualified or unqualified export, (b) a user instruction received via an interface (e.g., a command line interface), (c) a determination by the run-time environment based on detection of a triggering event associated with permissions for exposing the module element, or (d) any other instruction that instructs a module system to expose the module element.

A particular module element may be exposed by exposing the particular module element itself or by exposing another module element which includes the particular module element. In one example, a class may be exposed by exposing a package which includes the class. Class members of the class are also exposed by exposing the package which includes the class.

One or more embodiments relate to accessing module elements of a module in a module system. The module attempting the access is referred to herein as a consumer module and the module being accessed is referred to herein as a provider module. A module may function as either a consumer module or provider module for different access operations.

In an embodiment, determining whether a module element of a provider module may be accessed by a consumer module is based, at least in part, on whether the module element in the provider module has been exposed to the consumer module. Access controls which determine whether a module element of a provider module can be accessed by a consumer module are further described in Section 5. “Controlling Access to Module Elements.”

Access Modifiers for Module Elements

In an embodiment, a module element is declared with an access modifier. The access modifier identifies an accessibility configuration of the module element. The accessibility configuration declares that the module element is (a) publicly accessible or (b) not publicly accessible. In one example, the modifier “public” indicates that a module element is publicly accessible and the modifier “private” indicates that the module element is not publicly accessible. However, the declared access modifier does not by itself control whether the module element is accessible or inaccessible from outside of the module. Access controls which determine whether a module element of a provider module can be accessed by a consumer module are further described in Section 5. “Controlling Access to Module Elements.”

4. Operations which May Require Accessing a Module Element of a Provider Module by a Consumer Module

In an embodiment, different kinds of operations require access to a module element of a provider module by a consumer module.

Operations may be performed on byte code to enumerate, analyze, and/or categorize sections of the byte code. Some examples of operations for accessing module elements include reflection operations identified in the Java reflection API.

In an embodiment, an operation includes getting or setting a value of a module element where (a) the module element represents a field, (b) the getting or setting is performed with respect to an object, and (c) the object is an instance of another module element (e.g., a class which includes the field). An example set of operations includes, but is not limited to:

-   (a) getField(String name): Returns a Field object that reflects the specified field of the class or interface represented by the Class object upon which the command is executed.
-   (b) getFields( ): Returns an array containing Field objects reflecting all the fields of the class or interface represented by the Class object upon which the command is executed.
-   (c) getDeclaredFields( ): Returns an array of Field objects reflecting all the fields declared by the class or interface represented by the Class object upon which the command is executed.
-   (d) getDeclaredMethods( ): Returns an array of Method objects reflecting all the methods declared by the class or interface represented by the Class object upon which the command is executed.
-   (e) getSuperclass( ): Returns the Class representing the superclass of the entity (class, interface, primitive type or void) represented by the Class upon which the command is executed.
-   (f) set(Object obj, Object value): Sets the value of the field represented by the Field object upon which the command is executed, on the specified object argument to the specified new value.
-   (g) get(Object obj): Returns the value of the field represented by the Field upon which the command is executed, on the specified object.

In an embodiment, an operation includes a consumer module invoking the module element of a provider module. Module elements which are methods may be invoked with or without reflection techniques. One example command for invoking a method using reflection includes java.lang.reflect.Method.invoke( ). The first argument is the object instance on which a particular method is to be invoked. If the method is static, the first argument may be null. Subsequent arguments are the method's parameters.

In an embodiment, an operation includes a consumer module instantiating the module element of a provider module. A class (first module element of provider module) may be instantiated by a consumer module by invoking a constructor (second module element of provider module) of the class.

In an example, a class Spaceship is a first module element in a provider module. The class Spaceship includes a second module element which is a method declaration fireMissile( ). A separate class CommandCenter is a module element in a consumer module. The class CommandCenter (module element of consumer module) may include operations to (a) instantiate an object of type Spaceship (module element of provider module) and (b) invoke the method fireMissile( ) (module element of provider module) on the instance of Spaceship from (a).
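
The Spaceship/CommandCenter scenario written out with the reflective operations listed in this section, as an added example that is not part of the original disclosure. The field `missiles`, the constructor argument and the return value of `fireMissile()` are assumptions; both classes sit in the same unnamed module, so only the access-modifier and override behaviour is exercised, not a module boundary.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

// Consumer-side code: touches Spaceship only through reflective operations.
public class CommandCenter {
    public static void main(String[] args) throws Exception {
        Class<?> shipClass = Spaceship.class;

        // (a) Instantiate Spaceship by invoking its public constructor.
        Constructor<?> ctor = shipClass.getConstructor(String.class);
        Object ship = ctor.newInstance("constructed-ship-1");

        // Enumerate declared members; non-public ones are listed too.
        for (Field f : shipClass.getDeclaredFields()) {
            System.out.println("field:  " + f);
        }
        for (Method m : shipClass.getDeclaredMethods()) {
            System.out.println("method: " + m);
        }

        // (b) Invoke fireMissile(): the first argument is the receiver object.
        Method fire = shipClass.getMethod("fireMissile");
        System.out.println("fireMissile() -> " + fire.invoke(ship));

        // A private field is visible through getDeclaredField, but reading it
        // is refused until the accessibility override is set.
        Field missiles = shipClass.getDeclaredField("missiles");
        try {
            missiles.get(ship);
            System.out.println("unexpected: private field read without override");
        } catch (IllegalAccessException e) {
            System.out.println("get() without override -> IllegalAccessException");
        }

        // With the override set, get and set on the private field succeed.
        missiles.setAccessible(true);
        System.out.println("missiles = " + missiles.get(ship));
        missiles.set(ship, 10);
        System.out.println("missiles after set = " + missiles.get(ship));
    }
}

// Provider-side class. Top-level rather than nested, so the consumer gets no
// nest-mate access to its private members.
class Spaceship {
    private int missiles = 3;          // assumed field, not named on the page
    private final String name;

    public Spaceship(String name) {
        this.name = name;
    }

    public int fireMissile() {
        if (missiles == 0) {
            throw new IllegalStateException(name + " has no missiles left");
        }
        return --missiles;             // remaining missiles after firing
    }
}
```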

5. Controlling Access to Module Elements

As noted above, one or more operations require access to a module element of a provider module by a consumer module. One or more embodiments include controlling access to the module element of the provider module by the consumer module. Controlling access includes allowing access or prohibiting access. If access to the module element of the provider module by the consumer module is allowed, then the operation is successfully compiled or executed. If the access to the module element of the provider module by the consumer module is prohibited, then the operation may not successfully compile and/or may not successfully execute. Factors, as described herein, for controlling access to a particular type of module element may be applicable for controlling access to another type of module element.

FIG. 4 illustrates an example of a module in the Java Module System in accordance with one or more embodiments. Other modules (defined using the Java Module System or other module systems) may include more, less, and/or different module elements than illustrated in FIG. 4. A module (e.g., module 402) may include any number of packages. A package (e.g., package 404) may include any number of classes. A class (e.g., class 406) may include any number of class members (e.g., class member 408).

One or more embodiments include controlling access to module elements (i.e., package 404, class 406, or class member 408) of a provider module (e.g., module 402) by a consumer module (e.g., module 430). In order for module 430 to access class member 408 of module 402, module 430 may need access permissions to access (a) class member 408 itself, (b) class 406 which includes class member 408, and (c) package 404 which includes class 406. Furthermore, access controls applicable to a module element (e.g., class 406) may determine whether an operation that accesses an object, created by instantiating the module element, is allowed or prohibited. In an example, access to obtain or modify a value of a field of an object is allowed or prohibited based on access controls for the particular class which is instantiated to create the object.

FIG. 5 illustrates an example set of steps for allowing or prohibiting access to a module element of a provider module by a consumer module. Steps described below with reference to FIG. 5 may be performed prior to and/or during runtime. A compiler, interpreter, and/or runtime environment may perform one or more of the steps described below.

Initially, an operation by a consumer module that attempts to access a module element of a provider module is identified (Step 502). The operation may be identified by a compiler during a compilation process. The operation may be identified by the runtime environment when execution of the operation is requested. Some examples of kinds of operations which require access to a module element are indicated above in Section 4, titled “Operations which may require accessing a module element of a provider module by a consumer module.”

Responsive to identifying an operation by a consumer module that attempts to access a module element of a provider module, a check is necessary to determine if the consumer module has the necessary permissions to access the module element of the provider module. The check is a multi-step process as described below.

In an embodiment, a determination is made whether the module element of the provider module has been exposed to the consumer module (Step 504). As noted above, a particular module element of a provider module may be exposed to the consumer module if either (a) the particular module element has itself been exposed to the consumer module or (b) a second module element which includes the particular module element has been exposed to the consumer module. In the Java module system, if a package in a provider module has been exposed to a consumer module, then all of the classes within the package and the class members within the classes have been exposed to the consumer module. In the example illustrated in FIG. 4, exposing package 404 of module 402 to module 430 includes exposing class 406 and class member 408 to module 430. Package 404 of module 402 may be exposed to module 430 with a qualified export which specifically identifies module 430. Package 404 of module 402 may be exposed to module 430 with an unqualified export to all modules in the module system (without specifically identifying module 430).

If the module element of the provider module has not been exposed to the consumer module, then the consumer module is strictly prohibited from accessing the module element of the provider module (Step 506). Access to the module element of the provider module by the consumer module is strictly prohibited regardless of (a) an access modifier in the module element declaration, (b) an accessibility override configuration expressed for the module element (described below), or (c) a level of access associated with the operation that attempts to access the module element (described below). Strictly prohibiting access may include generating a compile time error and/or runtime error (e.g., throwing an exception) which prevents execution of an operation that attempts to access the module element.

In the example illustrated in FIG. 4, if class member 408 has not been exposed to module 430, then access to class member 408 by module 430 is strictly prohibited. The strict prohibition to non-exposed class member 408 is applicable even if (a) class member 408 and class 406 are declared with public access modifiers, (b) an accessibility override configuration is set to override any non-public access modifiers, and (c) the attempt to access class member 408 relies upon an operation with a highest possible level of access. Similarly, if class 406 has not been exposed to module 430, then access to class 406 by module 430 is strictly prohibited.

If a determination is made in Operation 504 that the module element of the provider module has been exposed to the consumer module, then access may or may not be allowed. In other words, exposing of the module element of the provider module to the consumer module does not guarantee that the consumer module is allowed to access the module element. Allowing or prohibiting access to the exposed module element of the provider module by the consumer module depends on a set of factors as described below.

In an embodiment, a determination is made whether the exposed module element is declared with a public access modifier (Step 508). The module element declaration may be examined to determine if a public access modifier or a non-public access modifier is configured for the exposed module element. Furthermore, if the exposed module element is included within another parent module element with an access modifier, then a check is performed to determine if the declaration of the parent module element includes a public access modifier or a non-public access modifier. For example, if the exposed module element is a class member of a particular class, then the access modifier of each of the class member declaration and the class declaration are examined to determine if both include public access modifiers.

If the module element (and any parent module element with an access modifier) is (are) declared with a public access modifier, then access to the module element of the provider module by the consumer module is allowed (Step 514). Allowing access to the module element of the provider module by the consumer module allows for successful compilation and/or execution of the operation which attempts to access the module element.

If the exposed module element (or any parent module element of the module element) is declared with a non-public access modifier, then additional analysis is needed to determine if access to the exposed module element is to be allowed or prohibited. Access to the exposed module element with a non-public access modifier may depend on a level of access associated with the operation attempting access. FIG. 5 defines an operation, with a minimum level of access required to access an exposed module element with a non-public modifier, as a reflective operation with an accessibility override configuration set for the exposed module element (detailed below). However, other embodiments are equally applicable to any system in which different operations are associated with different levels of access. For example, a first operation (in a consumer module) with a first level of access is allowed to access a non-public class member of a public class in an exposed package of a provider module. However, the first operation with the first level of access is prohibited from accessing a non-public class member of a non-public class in the exposed package of the provider module. A second operation (in the same consumer module) with a second level of access (higher than the first level of access) is allowed to access the non-public class member of the non-public class in the exposed package of the provider module. Accordingly, the specific operations 510 and 512 of FIG. 5 described below should be understood as an example set of rules for determining access to an exposed module element with a non-public modifier. The specific operations 510 and 512 should not be construed as limiting the scope of other embodiments in which operations are defined with a different set of access levels.

Continuing with FIG. 5, in an embodiment, an exposed module element with a non-public access modifier may be accessible if (a) the operation is a reflective operation (Step 510) and (b) an accessibility override configuration is set for the exposed module element being accessed (Step 512). Accordingly, if the operation is a reflective operation with an accessibility override configuration set for the module element being accessed, then access to the module element is allowed (Step 514). In an embodiment, an accessibility override configuration is available to a consumer module for accessing a module element of a provider module. The accessibility override configuration may be available to the consumer module independent of any configuration for the provider module even though the accessibility override configuration is being set to access the module element of the provider module.

In an example, a reflective operation (from the Java reflection API) includes get(Object obj) which returns the value of the field represented by the Field (on which the command is executed), on the specified object. The reflective operation further includes setAccessible( ) which sets the accessibility override configuration for the exposed module element with a non-public modifier. The reflective operation with the accessibility override configuration is allowed to access the exposed module element with a non-public modifier. The exposed module element is an element of a provider module which is being accessed by a consumer module.
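
The decision flow of FIG. 5 (Steps 504 to 514) as a small model, added here for illustration and not taken from the disclosure or from any JDK implementation. The `AccessCheck`, `Element` and `Operation` types, the `EXPORTS` table, `package409`, `module431` and the other names built from the FIG. 4 reference numerals are hypothetical, and the model assumes that a "no" at Step 510 or Step 512 leads to prohibition. It requires Java 17 or later.

```java
import java.util.Map;
import java.util.Set;

public class AccessCheck {
    enum Decision { ALLOWED, PROHIBITED }

    /** A class member of a provider module; parentPublic is the modifier of its class. */
    record Element(String module, String pkg, String name,
                   boolean isPublic, boolean parentPublic) {}

    /** An operation expressed in a consumer module. */
    record Operation(String consumer, boolean reflective, boolean overrideSet) {}

    // Hypothetical export table: provider module -> package -> target modules.
    // "*" marks an unqualified export; a module name marks a qualified export.
    // package409 is deliberately absent, so it is exposed to nobody.
    static final Map<String, Map<String, Set<String>>> EXPORTS = Map.of(
        "module402", Map.of(
            "package404", Set.of("module430"),
            "package405", Set.of("*")));

    /** Step 504: a member is exposed when its enclosing package is exposed. */
    static boolean isExposed(Element e, String consumer) {
        Set<String> targets = EXPORTS.getOrDefault(e.module(), Map.of()).get(e.pkg());
        return targets != null && (targets.contains("*") || targets.contains(consumer));
    }

    static Decision check(Operation op, Element e) {
        // Steps 504/506: the module boundary is evaluated first, and nothing
        // below (modifiers, reflection, override) can reverse a prohibition.
        if (!isExposed(e, op.consumer())) {
            return Decision.PROHIBITED;
        }
        // Steps 508/514: public element inside a public parent is allowed.
        if (e.isPublic() && e.parentPublic()) {
            return Decision.ALLOWED;
        }
        // Steps 510/512/514: a non-public element needs a reflective operation
        // with the accessibility override set.
        if (op.reflective() && op.overrideSet()) {
            return Decision.ALLOWED;
        }
        // Assumption: any other path through FIG. 5 ends in prohibition.
        return Decision.PROHIBITED;
    }

    static void report(String label, Operation op, Element e) {
        System.out.printf("%-58s %s%n", label, check(op, e));
    }

    public static void main(String[] args) {
        Element pubMember  = new Element("module402", "package404", "class406.member408", true,  true);
        Element privMember = new Element("module402", "package404", "class406.member408", false, true);
        Element pubInPrivateClass = new Element("module402", "package404", "class406.member408", true, false);
        Element hiddenPub  = new Element("module402", "package409", "class410.member411", true,  true);
        Element openToAll  = new Element("module402", "package405", "class412.member413", false, true);

        Operation direct      = new Operation("module430", false, false);
        Operation reflectOnly = new Operation("module430", true,  false);
        Operation reflectOvr  = new Operation("module430", true,  true);
        Operation outsiderOvr = new Operation("module431", true,  true);

        report("exposed, public member, direct access", direct, pubMember);
        report("exposed, private member, direct access", direct, privMember);
        report("exposed, private member, reflection without override", reflectOnly, privMember);
        report("exposed, private member, reflection with override", reflectOvr, privMember);
        report("exposed, public member of non-public class, direct", direct, pubInPrivateClass);
        report("not exposed, public member, reflection with override", reflectOvr, hiddenPub);
        report("qualified export, other consumer, override set", outsiderOvr, privMember);
        report("unqualified export, other consumer, override set", outsiderOvr, openToAll);
    }
}
```

The sixth and seventh rows are the cases the disclosure is about: a public modifier, a reflective call and the override together still yield PROHIBITED when the package has not been exposed to the calling module.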

6. Miscellaneous; Extensions

Embodiments are directed to a system with one or more devices that include a hardware processor and that are configured to perform any of the operations described herein and/or recited in any of the claims below.

In an embodiment, a non-transitory computer readable storage medium comprises instructions which, when executed by one or more hardware processors, causes performance of any of the operations described herein and/or recited in any of the claims.

Any combination of the features and functionalities described herein may be used in accordance with one or more embodiments. In the foregoing specification, embodiments have been described with reference to numerous specific details that may vary from implementation to implementation. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. The sole and exclusive indicator of the scope of the invention, and what is intended by the applicants to be the scope of the invention, is the literal and equivalent scope of the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction.

7. Hardware Overview

According to one embodiment, the techniques described herein are implemented by one or more special-purpose computing devices. The special-purpose computing devices may be hard-wired to perform the techniques, or may include digital electronic devices such as one or more application-specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs) that are persistently programmed to perform the techniques, or may include one or more general purpose hardware processors programmed to perform the techniques pursuant to program instructions in firmware, memory, other storage, or a combination. Such special-purpose computing devices may also combine custom hard-wired logic, ASICs, or FPGAs with custom programming to accomplish the techniques. The special-purpose computing devices may be desktop computer systems, portable computer systems, handheld devices, networking devices or any other device that incorporates hard-wired and/or program logic to implement the techniques.

For example, FIG. 6 is a block diagram that illustrates a computer system 600 upon which an embodiment of the invention may be implemented. Computer system 600 includes a bus 602 or other communication mechanism for communicating information, and a hardware processor 604 coupled with bus 602 for processing information. Hardware processor 604 may be, for example, a general purpose microprocessor.

Computer system 600 also includes a main memory 606, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 602 for storing information and instructions to be executed by processor 604. Main memory 606 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 604. Such instructions, when stored in non-transitory storage media accessible to processor 604, render computer system 600 into a special-purpose machine that is customized to perform the operations specified in the instructions.

Computer system 600 further includes a read only memory (ROM) 608 or other static storage device coupled to bus 602 for storing static information and instructions for processor 604. A storage device 610, such as a magnetic disk or optical disk, is provided and coupled to bus 602 for storing information and instructions.

Computer system 600 may be coupled via bus 602 to a display 612, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 614, including alphanumeric and other keys, is coupled to bus 602 for communicating information and command selections to processor 604. Another kind of user input device is cursor control 616, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 604 and for controlling cursor movement on display 612. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.

Computer system 600 may implement the techniques described herein using customized hard-wired logic, one or more ASICs or FPGAs, firmware and/or program logic which in combination with the computer system causes or programs computer system 600 to be a special-purpose machine. According to one embodiment, the techniques herein are performed by computer system 600 in response to processor 604 executing one or more sequences of one or more instructions contained in main memory 606. Such instructions may be read into main memory 606 from another storage medium, such as storage device 610. Execution of the sequences of instructions contained in main memory 606 causes processor 604 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions.

The term “storage media” as used herein refers to any non-transitory media that store data and/or instructions that cause a machine to operate in a specific fashion. Such storage media may comprise non-volatile media and/or volatile media. Non-volatile media includes, for example, optical or magnetic disks, such as storage device 610. Volatile media includes dynamic memory, such as main memory 606. Common forms of storage media include, for example, a floppy disk, a flexible disk, hard disk, solid state drive, magnetic tape, or any other magnetic data storage medium, a CD-ROM, any other optical data storage medium, any physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, NVRAM, any other memory chip or cartridge.

Storage media is distinct from but may be used in conjunction with transmission media. Transmission media participates in transferring information between storage media. For example, transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 602. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.

Various forms of media may be involved in carrying one or more sequences of one or more instructions to processor 604 for execution. For example, the instructions may initially be carried on a magnetic disk or solid state drive of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 600 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 602. Bus 602 carries the data to main memory 606, from which processor 604 retrieves and executes the instructions. The instructions received by main memory 606 may optionally be stored on storage device 610 either before or after execution by processor 604.

Computer system 600 also includes a communication interface 618 coupledto bus 602. Communication interface 618 provides a two-way datacommunication coupling to a network link 620 that is connected to alocal network 622. For example, communication interface 618 may be anintegrated services digital network (ISDN) card, cable modem, satellitemodem, or a modem to provide a data communication connection to acorresponding kind of telephone line. As another example, communicationinterface 618 may be a local area network (LAN) card to provide a datacommunication connection to a compatible LAN. Wireless links may also beimplemented. In any such implementation, communication interface 618sends and receives electrical, electromagnetic or optical signals thatcarry digital data streams representing various types of information.

Network link 620 typically provides data communication through one ormore networks to other data devices. For example, network link 620 mayprovide a connection through local network 622 to a host computer 624 orto data equipment operated by an Internet Service Provider (ISP) 626.ISP 626 in turn provides data communication services through the worldwide packet data communication network now commonly referred to as the“Internet” 628. Local network 622 and Internet 628 both use electrical,electromagnetic or optical signals that carry digital data streams. Thesignals through the various networks and the signals on network link 620and through communication interface 618, which carry the digital data toand from computer system 600, are example forms of transmission media.

Computer system 600 can send messages and receive data, including program code, through the network(s), network link 620 and communication interface 618. In the Internet example, a server 630 might transmit a requested code for an application program through Internet 628, ISP 626, local network 622 and communication interface 618.

The received code may be executed by processor 604 as it is received, and/or stored in storage device 610, or other non-volatile storage for later execution.

In the foregoing specification, embodiments of the invention have been described with reference to numerous specific details that may vary from implementation to implementation. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense. The sole and exclusive indicator of the scope of the invention, and what is intended by the applicants to be the scope of the invention, is the literal and equivalent scope of the set of claims that issue from this application, in the specific form in which such claims issue, including any subsequent correction.

What is claimed is:
 1. A non-transitory computer readable medium comprising instructions which, when executed by one or more hardware processors, cause performance of steps comprising: identifying an operation, expressed in a first module, wherein execution of the operation requires access to a module element of a second module; wherein, in absence of any modular boundary associated with the module element, a non-module-specific accessibility configuration associated with the module element controls the access to the module element; wherein, if a module boundary associated with the module element is present, the non-module-specific accessibility configuration associated with the module element controls the access to the module element if the module boundary associated with the module element permits the access to the module element; determining that the operation is associated with a highest possible level of non-module-specific access; determining whether the module element is exposed by the second module to the first module based on the module boundary associated with the module element; responsive to determining that the module element is not exposed by the second module to the first module based on the module boundary associated with the module element: prohibiting the operation.
 2. The medium of claim 1, wherein a compiler enforces control of the access to the module element based on (a) any modular boundary associated with the module element and (b) the non-module-specific accessibility configuration associated with the module element.
 3. The medium of claim 1, wherein a run-time environment enforces control of the access to the module element based on (a) any modular boundary associated with the module element and (b) the non-module-specific accessibility configuration associated with the module element.
 4. The medium of claim 1, wherein the prohibiting step comprises: refraining from compiling a set of code that includes the first module and the second module.
 5. The medium of claim 1, wherein the prohibiting step comprises: refraining from executing the operation.
 6. The medium of claim 1, wherein the prohibiting step comprises: generating a compile-time error associated with the operation.
 7. The medium of claim 1, wherein the prohibiting step comprises: generating a run-time error associated with the operation.
 8. The medium of claim 1, wherein the steps further comprise: responsive to determining that the module element is exposed by the second module to the first module based on the module boundary associated with the module element: allowing the operation.
 9. The medium of claim 1, wherein the module element is associated with an accessibility override configuration.
 10. The medium of claim 1, wherein the module element is associated with a public modifier.
 11. The medium of claim 1, wherein determining whether the module element is exposed by the second module to the first module based on the module boundary associated with the module element comprises: determining whether a declaration within a module descriptor associated with the second module exposes the module element to the first module.
 12. The medium of claim 1, wherein access to the module element is controlled based at least on a module descriptor associated with the second module.
 13. The medium of claim 1, wherein determining whether the module element is exposed by the second module to the first module based on the module boundary associated with the module element comprises: determining whether a user instruction received via an interface exposes the module element to the first module.
 14. The medium of claim 1, wherein determining whether the module element is exposed by the second module to the first module based on the module boundary associated with the module element comprises: determining whether a triggering event during run-time causes the module element to be exposed to the first module.
 15. A non-transitory computer readable medium comprising instructions which, when executed by one or more hardware processors, cause performance of steps comprising: identifying an operation, expressed in a first module, wherein execution of the operation requires access to a module element of a second module, and wherein access to the module element is controlled by (a) a modular exposure of the module element and (b) a non-modular accessibility configuration associated with the module element; determining that the operation is associated with a particular level of non-modular access that permits access to the module element based on the non-modular accessibility configuration associated with the module element, if access to the module element is permitted based on the modular exposure of the module element; determining whether the module element is exposed by the second module to the first module based on the modular exposure of the module element; responsive to determining that the module element is not exposed by the second module to the first module based on the modular exposure of the module element: prohibiting the operation.
 16. The medium of claim 15, wherein a compiler enforces control of the access to the module element based on (a) the modular exposure of the module element and (b) the non-modular accessibility configuration associated with the module element.
 17. The medium of claim 15, wherein a run-time environment enforces control of the access to the module element based on (a) the modular exposure of the module element and (b) the non-modular accessibility configuration associated with the module element.
 18. The medium of claim 15, wherein the prohibiting step comprises: refraining from compiling a set of code that includes the first module and the second module.
 19. The medium of claim 15, wherein the prohibiting step comprises: refraining from executing the operation.
 20. The medium of claim 15, wherein the steps further comprise: responsive to determining that the module element is exposed by the second module to the first module based on the modular exposure of the module element: allowing the operation.
 21. The medium of claim 15, wherein the operation is a reflective operation.
 22. A system, comprising: at least one device including a hardware processor; and the system being configured to perform steps comprising: identifying an operation, expressed in a first module, wherein execution of the operation requires access to a module element of a second module, and wherein access to the module element is controlled by (a) a modular exposure of the module element and (b) a non-modular accessibility configuration associated with the module element; determining that the operation is associated with a particular level of non-modular access that permits access to the module element based on the non-modular accessibility configuration associated with the module element, if access to the module element is permitted based on the modular exposure of the module element; determining whether the module element is exposed by the second module to the first module based on the modular exposure of the module element; responsive to determining that the module element is not exposed by the second module to the first module based on the modular exposure of the module element: prohibiting the operation. 
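
An added example, not part of the patent text: the order of checks in claims 1 and 15 (module exposure first, then the non-module-specific accessibility configuration and its override) as it can be observed in the Java Platform Module System, which is assumed here as the concrete module system because the claims name no language. It assumes JDK 17 or later, run from the class path without `--add-opens` or `--add-exports`; the class name `ModuleBoundaryDemo` and the field `SECRET` are hypothetical.

```java
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;
import java.lang.reflect.Method;

public class ModuleBoundaryDemo {
    private static final String SECRET = "own-module private field";

    // Attempt the accessibility override, i.e. the highest level of
    // non-module-specific access a reflective operation can request.
    static String override(AccessibleObject element) {
        try {
            element.setAccessible(true);
            return "allowed";
        } catch (InaccessibleObjectException e) {
            // Run-time error raised because the module boundary does not expose the element.
            return "prohibited: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Module self = ModuleBoundaryDemo.class.getModule(); // unnamed module when run from the class path
        Module base = Object.class.getModule();             // java.base

        // Exposure declared by java.base's module descriptor, relative to this caller.
        System.out.println("jdk.internal.misc exported to caller: " + base.isExported("jdk.internal.misc", self));
        System.out.println("java.lang exported to caller:         " + base.isExported("java.lang", self));
        System.out.println("java.lang opened to caller:           " + base.isOpen("java.lang", self));

        // Case 1: public method of a public class in a package that is not exposed to the caller.
        Method getUnsafe = Class.forName("jdk.internal.misc.Unsafe").getDeclaredMethod("getUnsafe");
        System.out.println("public, not exported   -> " + override(getUnsafe));

        // Case 2: private field in a package that is exported but not opened for deep reflection.
        Field value = String.class.getDeclaredField("value");
        System.out.println("private, exported only -> " + override(value));

        // Case 3: private field in the caller's own module, so no module boundary is crossed
        // and only the ordinary accessibility configuration (plus override) applies.
        Field secret = ModuleBoundaryDemo.class.getDeclaredField("SECRET");
        System.out.println("private, same module   -> " + override(secret));
        System.out.println("value read after override: " + secret.get(null));
    }
}
```

Cases 1 and 2 show the override being refused at the module boundary regardless of the `public` or `private` modifier; only case 3, where no boundary applies, reaches the modifier-level decision.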